  1. #1

    Server Configuration (2 Servers)

    I have 2 servers each running Windows 2003 with AD. The 1st is installed with ISA 2004, is configured for RRAS and runs the DNS service. The 2nd is installed with Exchange Server 2003 + GFI, runs the DNS service and also runs the DHCP.

    If both machines are up and running there are no problems but if one or the other fails then staff cannot log on to the network and access their data.

    Q1 - What needs to be configured to allow staff to log on to the network regardless of one or the other servers failing (obviously not both)?

    Q2 - What part can DFS play in allowing staff to logon, access their profiles, personal and common school data?

    I have intentionally left the questions broad-based because, although I am familiar with setting up a single server domain, I have no experience with multiple server domains.

    Many Thanks in anticipation

  2. #2

    SYNACK

    To answer this properly we may need more information about your network, is it under multiple subnets?

    Q1) The minimum for logon is an AD server with DNS and DHCP (assigning the first half of your IPs), the other would need to be configured with AD and as a Global Catalogue server so that it cached credentials, have DNS installed and also DHCP assigning the other half of your available IPs.

    Given that one is an ISA server, running multiple roles like that is going to cause you grief, as ISA's goal is to block stuff; by opening up services on it you are effectively poking many holes in your security barrier that are exploitable, and you have to make sure that ISA does not step on anything that it shouldn't, which can be tricky.

    Q2) DFS is a file redirection and replication service, unfortunately unless you have 2003 R2 the replication feature included is very unstable with anything more than say 40 MB of data total and will trash your data. Even if you do have R2 then it is still a bit iffy replicating large amounts of quickly changing data between two servers and can have tragic consequences.

    The best way to share the data equally between both servers would probably involve investment in a SAN and a couple of Windows Server Enterprise licences so that you could cluster them together and run a clustered file system that both servers could access at once. You would then run your ISA server separately as a VM on one of them which would get rid of any conflicts. Unfortunately this option involves a fair chunk of investment.

  3. #3

    Am I right in thinking that with DFS you still need to nominate one server as the host for the root, so there is still a single point of failure there?

  4. #4

    SYNACK

    Quote: Originally Posted by theriver
    Am I right in thinking that with DFS you still need to nominate one server as the host for the root, so there is still a single point of failure there?

    You can have a domain integrated root which is handed out by AD and so will cope with a server failure like

    \\domain\dfsroot\share or \\domain.internal.school.uk depending on how you choose to type in scripts and such

  6. #5

    Thanks Synack, that is my understanding of DFS but what I cannot definitively find is what, if any, user files associated with logons / profiles can be (or need to be) placed within DFS.

  7. #6

    SYNACK

    Quote: Originally Posted by PaulO99
    Thanks Synack, that is my understanding of DFS but what I cannot definitively find is what, if any, user files associated with logons / profiles can be (or need to be) placed within DFS.

    Any roaming user profiles would need to be included but again if it is rapidly changing data certain changes may not be replicated in time, i.e. a log off on one PC then on to another may not pick up changes made as it takes some time to mirror from one server to the other. If the second PC looks to the other server it may not get the changed information. Also when the data gets well out of sync it will do strange things like duplicate folders or delete files in both locations, trashing the entire lot.

    If you are using mandatory profiles or local ones then this would not be an issue however, and so long as the sysvol share is available from both servers (replicated automatically if AD is installed on the server) and the mandatory profile location is replicated then logging in should work fine.

    Documents however would definitely cause issues unless you are using R2 and have like 5-6 users total.

  9. #7

    Michael

    Quote:
    Q1) The minimum for logon is an AD server with DNS and DHCP (assigning the first half of your IPs), the other would need to be configured with AD and as a Global Catalogue server so that it cached credentials, have DNS installed and also DHCP assigning the other half of your available IPs.

    A slight variation of this would be a server running AD with DNS, GC and DHCP with conflict detection set to 1 or greater. This would prevent two DHCP databases leasing the same IPs without checking whether the IP is already leased.

  11. #8

    Michael

    Personally I would never store profiles within DFS or Sysvol. Replication times will be greatly increased and can slow the network right down.

    Mandatory profiles are an attractive option, but not always suitable. Realistically if I had thousands of users I would create multiple Profiles$ shares per physical server. In the event of a failure a percentage of users would be affected and could theoretically use cached information. It really depends how the rest of the domain and policies are configured.

  13. #9
    chazzy2501

    You're asking a lot from your two servers!

    As mentioned above: both DCs will need to run the Global Cat service, just check the box in Sites and Services.

    I'd not use DFS in your case, I'd recommend setting up offline files instead; that will fulfill most needs of users until you can get the system back up.

  15. #10

    SYNACK

    Quote: Originally Posted by chazzy2501
    Both DCs will need to run the Global Cat service, just check the box in Sites and Services.

    Just a clarification there: only the secondary server should be running GC as the primary will be running the Infrastructure Master role; you should not run the IM role and GC on the same server or it can cause corruption of AD. Offline files is a good idea depending on your deployment though, as for limited-user machines like office ones it could work well. It may cause issues on multi-user machines like class ones though.

  17. #11
    chazzy2501

    Quote:
    Just a clarification there: only the secondary server should be running GC as the primary will be running the Infrastructure Master role; you should not run the IM role and GC on the same server or it can cause corruption of AD. Offline files is a good idea depending on your deployment though, as for limited-user machines like office ones it could work well. It may cause issues on multi-user machines like class ones though.

    Sorry, and not to go too far off topic, but I thought the IM role only comes into effect with cross domain object references? He only has one domain.
    Last edited by chazzy2501; 8th January 2010 at 07:20 PM.

  19. #12

    SYNACK

    Quote: Originally Posted by chazzy2501
    Sorry, and not to go too far off topic, but I thought the IM role only comes into effect with cross domain object references? He only has one domain.

    I could be confused with the RID master but I know that having both the main database and a cached copy on the same server comes with dire warnings in all the MS books and docs that I have read.

  21. #13
    chazzy2501

    We need an umpire! I'm (slowly) working on getting an MCSA and in my training it says that in a domain environment, in order for a non domain administrator to log in, at least 1 DC must be running the GC service; this illustration includes a single DC domain.

    I've inherited my domain and both DCs run the GC service and have for years with no issues or even log errors.

    I don't have my MCSA yet so I'll not stamp my feet, but this has made my sphincter twitch with worry!

  23. #14

    SYNACK

    Ah, I was right about the IM role but there are two situations when it is ok, one of which is the setup you describe:
    Rule Three: In each domain, make sure that the Infrastructure Master role is not held by a domain controller that also hosts the Global Catalog, but do make sure that the Infrastructure Master is a direct replication partner of a domain controller hosting the Global Catalog that resides in the same site as the Infrastructure Master. Note however that this rule does have some exceptions, namely that the Infrastructure Master role can be held by a domain controller hosting the Global Catalog in two circumstances: when there is only one domain in your forest or when every single domain controller in the domain also hosts the Global Catalog.
    Managing Active Directory FSMO Roles
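
    The placement rule quoted in post #14, together with the thread's concern about losing one of two servers, written as a check. This is an added example, not part of the original thread. The inventories and the names SRV1, SRV2, SRV3 and "School" are constructed, and applying the replication-partner test only when the IM holder is not itself a GC is this example's reading of the rule.

```python
from dataclasses import dataclass, field

@dataclass
class DC:
    name: str
    site: str
    is_gc: bool                     # hosts the Global Catalog
    holds_im: bool = False          # holds the Infrastructure Master role
    partners: set = field(default_factory=set)  # direct replication partners

def check_im_placement(dcs, domains_in_forest):
    """Findings against the quoted Rule Three; an empty list means compliant."""
    holders = [d for d in dcs if d.holds_im]
    if len(holders) != 1:
        return [f"expected one Infrastructure Master per domain, found {len(holders)}"]
    im, by_name = holders[0], {d.name: d for d in dcs}
    # The two exceptions in the quote: single-domain forest, or every DC is a GC.
    exempt = domains_in_forest == 1 or all(d.is_gc for d in dcs)
    if im.is_gc:
        return [] if exempt else [f"{im.name}: IM role on a GC, no exception applies"]
    # IM is not a GC: it needs a GC replication partner in its own site.
    near = [p for p in im.partners
            if p in by_name and by_name[p].is_gc and by_name[p].site == im.site]
    return [] if near else [f"{im.name}: no same-site GC replication partner"]

def gc_survives_single_failure(dcs):
    """True if a GC is still available after any one DC fails."""
    return sum(d.is_gc for d in dcs) >= 2

# Constructed inventories (hypothetical names SRV1/SRV2/SRV3, site "School").
gc_on_second_only = [
    DC("SRV1", "School", is_gc=False, holds_im=True, partners={"SRV2"}),
    DC("SRV2", "School", is_gc=True, partners={"SRV1"}),
]
gc_on_both = [
    DC("SRV1", "School", is_gc=True, holds_im=True, partners={"SRV2"}),
    DC("SRV2", "School", is_gc=True, partners={"SRV1"}),
]
mixed = gc_on_both[:1] + [DC("SRV3", "School", is_gc=False, partners={"SRV1"})]

if __name__ == "__main__":
    for label, dcs, domains in [("GC on second DC only", gc_on_second_only, 1),
                                ("GC on both DCs", gc_on_both, 1),
                                ("IM+GC, two-domain forest", mixed, 2)]:
        print(label, check_im_placement(dcs, domains), gc_survives_single_failure(dcs))
```

    Both two-server layouts discussed in the thread pass the placement rule in a single-domain forest; only the layout with the GC on both DCs keeps a GC available when either server fails.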

  25. #15
    chazzy2501

    I was wondering if we were mixing the GC service with Universal group membership caching.

    It would speed up logins on DCs not running GC service, by caching credentials, and doesn't use as much bandwidth as GC (no replication). This unfortunately wouldn't allow a non administrator to log in without a GC.
